===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0821
                       Ruby 2.5.4 and 2.6.2 released
                               14 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Delete Arbitrary Files          -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8325 CVE-2019-8324 CVE-2019-8323
                   CVE-2019-8322 CVE-2019-8321 CVE-2019-8320
Reference:         ESB-2019.0678

Original Bulletin:
   https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/
   https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-6-2-released/

Comment: This bulletin contains two (2) Ruby security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.5.4 Released

Posted by nagachika on 13 Mar 2019

Ruby 2.5.4 has been released.

This release includes bug fixes and a security update of the bundled RubyGems. See details in Multiple vulnerabilities in RubyGems and the commit logs.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.4.tar.bz2
    SIZE: 14167366 bytes
  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.4.tar.gz
    SIZE: 15995815 bytes
  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.4.tar.xz
    SIZE: 11493016 bytes
  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.4.zip
    SIZE: 19186174 bytes

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.

--------------------------------------------------------------------------------

Ruby 2.6.2 Released

Posted by naruse on 13 Mar 2019

Ruby 2.6.2 has been released.

This release includes bug fixes and a security update of the bundled RubyGems. See details in Multiple vulnerabilities in RubyGems and the commit logs.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.2.tar.gz
    SIZE: 16777765 bytes
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.2.zip
    SIZE: 20601169 bytes
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.2.tar.bz2
    SIZE: 14634343 bytes
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.2.tar.xz
    SIZE: 11889840 bytes

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.